Scene of the Cybercrime: Computer Forensics Handbook -  Syngress

Scene of the Cybercrime: Computer Forensics Handbook (eBook)

(Author)

eBook Download: PDF
2002 | 1st edition
512 pages
Elsevier Science (publisher)
978-0-08-048078-7 (ISBN)
System requirements
48,64 incl. VAT
  • Download available immediately
"Cybercrime and cyber-terrorism represent a serious challenge to society as a whole." - Hans Christian Krüger, Deputy Secretary General of the Council of Europe
Crime has been with us as long as laws have existed, and modern technology has given us a new type of criminal activity: cybercrime. Computer and network related crime is a problem that spans the globe, and unites those in two disparate fields: law enforcement and information technology.

This book will help both IT pros and law enforcement specialists understand their own roles and those of the other, and shows why that understanding and an organized, cooperative effort are necessary to win the fight against this new type of crime.

62% of US companies reported computer-related security breaches resulting in damages of $124 million. This data is an indication of the massive need for cybercrime training within the IT and law enforcement communities.
The only book that covers Cybercrime from forensic investigation through prosecution.
Cybercrime is one of the battlefields in the war against terror.

Cover 1
Contents 12
Foreword 26
Chapter 1 Facing the Cybercrime Problem Head On 33
Introduction 34
Quantifying the Crisis 35
Defining Cybercrime 36
Moving from the General to the Specific 37
Understanding the Importance of Jurisdictional Issues 38
Differentiating Crimes That Use the Net from Crimes That Depend on the Net 42
Collecting Statistical Data on Cybercrime 43
Understanding the Crime Reporting System 43
Categorizing Crimes for the National Reporting System 45
Toward a Working Definition of Cybercrime 47
U.S. Federal and State Statutes 47
International Law: The United Nations Definition of Cybercrime 49
Categorizing Cybercrime 50
Developing Categories of Cybercrimes 51
Violent or Potentially Violent Cybercrime Categories 51
Nonviolent Cybercrime Categories 55
Prioritizing Cybercrime Enforcement 65
Fighting Cybercrime 67
Determining Who Will Fight Cybercrime 67
Educating Cybercrime Fighters 69
Educating Legislators and Criminal Justice Professionals 70
Educating Information Technology Professionals 71
Educating and Engaging the Community 73
Getting Creative in the Fight Against Cybercrime 73
Using Peer Pressure to Fight Cybercrime 74
Using Technology to Fight Cybercrime 75
Finding New Ways to Protect Against Cybercrime 76
Summary 77
Frequently Asked Questions 78
Resources 79
Chapter 2 Reviewing the History of Cybercrime 81
Introduction 82
Exploring Criminality in the Days of Standalone Computers 83
Sharing More Than Time 84
The Evolution of a Word 84
Understanding Early Phreakers, Hackers, and Crackers 85
Hacking Ma Bell’s Phone Network 85
Phamous Phreakers 86
Phreaking on the Other Side of the Atlantic 86
A Box for Every Color Scheme 86
From Phreaker to Hacker 87
Living on the LAN: Early Computer Network Hackers 87
How BBSs Fostered Criminal Behavior 88
How Online Services Made Cybercrime Easy 89
Introducing the ARPANet: the Wild West of Networking 90
Sputnik Inspires ARPA 91
ARPA Turns Its Talents to Computer Technology 91
Network Applications Come into Their Own 92
The Internetwork Continues to Expand 92
The ARPANet of the 1980s 92
The Internet of the 1990s 92
The Worm Turns—and Security Becomes a Concern 93
Watching Crime Rise with the Commercialization of the Internet 93
Bringing the Cybercrime Story Up to Date 94
Understanding How New Technologies Create New Vulnerabilities 94
Why Cybercriminals Love Broadband 95
Why Cybercriminals Love Wireless 99
Why Cybercriminals Love Mobile Computing 104
Why Cybercriminals Love Sophisticated Web and E-Mail Technologies 107
Why Cybercriminals Love E-Commerce and Online Banking 112
Why Cybercriminals Love Instant Messaging 116
Why Cybercriminals Love New Operating Systems and Applications 119
Why Cybercriminals Love Standardization 119
Planning for the Future: How to Thwart Tomorrow’s Cybercriminal 120
Summary 121
Frequently Asked Questions 122
Resources 123
Chapter 3 Understanding the People on the Scene 125
Introduction 126
Understanding Cybercriminals 128
Profiling Cybercriminals 130
Understanding How Profiling Works 131
Reexamining Myths and Misconceptions About Cybercriminals 134
Constructing a Profile of the Typical Cybercriminal 143
Recognizing Criminal Motivations 144
Recognizing the Limitations of Statistical Analysis 151
Categorizing Cybercriminals 151
Criminals Who Use the Net as a Tool of the Crime 152
Criminals Who Use the Net Incidentally to the Crime 159
Real-Life Noncriminals Who Commit Crimes Online 160
Understanding Cybervictims 161
Categorizing Victims of Cybercrime 162
Making the Victim Part of the Crime-Fighting Team 166
Understanding Cyberinvestigators 168
Recognizing the Characteristics of a Good Cyberinvestigator 168
Categorizing Cyberinvestigators by Skill Set 170
Recruiting and Training Cyberinvestigators 171
Facilitating Cooperation: CEOs on the Scene 172
Summary 174
Frequently Asked Questions 175
Resources 177
Chapter 4 Understanding Computer Basics 179
Introduction 180
Understanding Computer Hardware 181
Looking Inside the Machine 182
Components of a Digital Computer 182
The Role of the Motherboard 183
The Roles of the Processor and Memory 185
The Role of Storage Media 189
Why This Matters to the Investigator 195
The Language of the Machine 196
Wandering Through a World of Numbers 197
Who’s on Which Base? 197
Understanding the Binary Numbering System 198
Converting Between Binary and Decimal 199
Converting Between Binary and Hexadecimal 199
Converting Text to Binary 200
Encoding Nontext Files 201
Why This Matters to the Investigator 201
Understanding Computer Operating Systems 203
Understanding the Role of the Operating System Software 204
Differentiating Between Multitasking and Multiprocessing Types 205
Multitasking 205
Multiprocessing 206
Differentiating Between Proprietary and Open Source Operating Systems 207
An Overview of Commonly Used Operating Systems 209
Understanding DOS 209
Windows 1.x Through 3.x 211
Windows 9x (95, 95b, 95c, 98, 98SE, and ME) 213
Windows NT 215
Windows 2000 217
Windows XP 218
Linux/UNIX 220
Other Operating Systems 222
Understanding File Systems 225
FAT12 225
FAT16 226
VFAT 226
FAT32 226
NTFS 227
Other File Systems 228
Summary 229
Frequently Asked Questions 230
Resources 231
Chapter 5 Understanding Networking Basics 233
Introduction 234
Understanding How Computers Communicate on a Network 235
Sending Bits and Bytes Across a Network 236
Digital and Analog Signaling Methods 237
How Multiplexing Works 239
Directional Factors 240
Timing Factors 241
Signal Interference 242
Packets, Segments, Datagrams, and Frames 243
Access Control Methods 244
Network Types and Topologies 245
Why This Matters to the Investigator 247
Understanding Networking Models and Standards 247
The OSI Networking Model 248
The DoD Networking Model 250
The Physical/Data Link Layer Standards 252
Why This Matters to the Investigator 252
Understanding Network Hardware 253
The Role of the NIC 253
The Role of the Network Media 253
The Roles of Network Connectivity Devices 255
Why This Matters to the Investigator 263
Understanding Network Software 263
Understanding Client/Server Computing 264
Server Software 267
Client Software 268
Network File Systems and File Sharing Protocols 269
A Matter of (Networking) Protocol 270
Understanding the TCP/IP Protocols Used on the Internet 272
The Need for Standardized Protocols 272
A Brief History of TCP/IP 273
The Internet Protocol and IP Addressing 274
How Routing Works 281
The Transport Layer Protocols 286
The MAC Address 289
Name Resolution 289
TCP/IP Utilities 295
Network Monitoring Tools 301
Why This Matters to the Investigator 304
Summary 305
Frequently Asked Questions 306
Resources 309
Chapter 6 Understanding Network Intrusions and Attacks 311
Introduction 312
Understanding Network Intrusions and Attacks 314
Intrusions vs. Attacks 315
Recognizing Direct vs. Distributed Attacks 316
Automated Attacks 318
Accidental “Attacks” 319
Preventing Intentional Internal Security Breaches 320
Preventing Unauthorized External Intrusions 321
Planning for Firewall Failures 322
External Intruders with Internal Access 322
Recognizing the “Fact of the Attack” 323
Identifying and Categorizing Attack Types 324
Recognizing Pre-intrusion/Attack Activities 324
Port Scans 326
Address Spoofing 329
IP Spoofing 330
ARP Spoofing 330
DNS Spoofing 331
Placement of Trojans 332
Placement of Tracking Devices and Software 332
Placement of Packet Capture and Protocol Analyzer Software 334
Prevention and Response 336
Understanding Password Cracking 337
Brute Force 338
Exploitation of Stored Passwords 341
Interception of Passwords 343
Password Decryption Software 344
Social Engineering 345
Prevention and Response 346
General Password Protection Measures 346
Protecting the Network Against Social Engineers 347
Understanding Technical Exploits 347
Protocol Exploits 348
DoS Attacks That Exploit TCP/IP 348
Source Routing Attacks 355
Other Protocol Exploits 356
Application Exploits 356
Bug Exploits 356
Mail Bombs 357
Browser Exploits 357
Web Server Exploits 359
Buffer Overflows 360
Operating System Exploits 361
The WinNuke Out-of-Band Attack 361
Windows Registry Attacks 361
Other Windows Exploits 362
UNIX Exploits 363
Router Exploits 364
Prevention and Response 365
Attacking with Trojans, Viruses, and Worms 366
Trojans 368
Viruses 369
Worms 370
Prevention and Response 371
Hacking for Nontechies 372
The Script Kiddie Phenomenon 372
The “Point and Click” Hacker 373
Prevention and Response 374
Summary 375
Frequently Asked Questions 376
Resources 378
Chapter 7 Understanding Cybercrime Prevention 381
Introduction 382
Understanding Network Security Concepts 383
Applying Security Planning Basics 384
Defining Security 384
The Importance of Multilayered Security 385
The Intrusion Triangle 385
Removing Intrusion Opportunities 386
Talking the Talk: Security Terminology 387
Importance of Physical Security 389
Protecting the Servers 391
Keeping Workstations Secure 391
Protecting Network Devices 392
Understanding Basic Cryptography Concepts 396
Understanding the Purposes of Cryptographic Security 396
Authenticating Identity 398
Providing Confidentiality of Data 404
Ensuring Data Integrity 404
Basic Cryptography Concepts 405
Scrambling Text with Codes and Ciphers 405
What Is Encryption? 408
Securing Data with Cryptographic Algorithms 410
How Encryption Is Used in Information Security 412
What Is Steganography? 416
Modern Decryption Methods 417
Cybercriminals’ Use of Encryption and Steganography 418
Making the Most of Hardware and Software Security 419
Implementing Hardware-Based Security 419
Hardware-Based Firewalls 419
Authentication Devices 420
Implementing Software-Based Security 423
Cryptographic Software 423
Digital Certificates 424
The Public Key Infrastructure 424
Software-Based Firewalls 425
Understanding Firewalls 426
How Firewalls Use Layered Filtering 427
Packet Filtering 427
Circuit Filtering 428
Application Filtering 429
Integrated Intrusion Detection 430
Forming an Incident Response Team 430
Designing and Implementing Security Policies 433
Understanding Policy-Based Security 433
What Is a Security Policy? 434
Why This Matters to the Investigator 435
Evaluating Security Needs 436
Components of an Organizational Security Plan 436
Defining Areas of Responsibility 436
Analyzing Risk Factors 438
Assessing Threats and Threat Levels 439
Analyzing Organizational and Network Vulnerabilities 441
Analyzing Organizational Factors 444
Considering Legal Factors 445
Analyzing Cost Factors 445
Assessing Security Solutions 446
Complying with Security Standards 447
Government Security Ratings 447
Utilizing Model Policies 448
Defining Policy Areas 449
Password Policies 449
Other Common Policy Areas 452
Developing the Policy Document 453
Establishing Scope and Priorities 454
Policy Development Guidelines 454
Policy Document Organization 455
Educating Network Users on Security Issues 457
Policy Enforcement 457
Policy Dissemination 458
Ongoing Assessment and Policy Update 458
Summary 459
Frequently Asked Questions 460
Resources 462
Chapter 8 Implementing System Security 463
Introduction 464
How Can Systems Be Secured? 465
The Security Mentality 465
Elements of System Security 467
Implementing Broadband Security Measures 468
Broadband Security Issues 471
Deploying Antivirus Software 473
Defining Strong User Passwords 476
Setting Access Permissions 476
Disabling File and Print Sharing 477
Using NAT 478
Deploying a Firewall 480
Disabling Unneeded Services 481
Configuring System Auditing 481
Implementing Browser and E-Mail Security 484
Types of Dangerous Code 486
JavaScript 486
ActiveX 487
Java 487
Making Browsers and E-Mail Clients More Secure 488
Restricting Programming Languages 488
Keep Security Patches Current 489
Cookie Awareness 489
Securing Web Browser Software 490
Securing Microsoft Internet Explorer 490
Securing Netscape Navigator 494
Securing Opera 496
Implementing Web Server Security 497
DMZ vs. Stronghold 498
Isolating the Web Server 499
Web Server Lockdown 500
Managing Access Control 500
Handling Directory and Data Structures 500
Scripting Vulnerabilities 501
Logging Activity 502
Backups 502
Maintaining Integrity 502
Rogue Web Servers 503
Understanding Security and Microsoft Operating Systems 503
General Microsoft Security Issues 504
NetBIOS 504
Widespread Automated Functionality 505
IRDP Vulnerability 506
NIC Bindings 506
Securing Windows 9x Computers 507
Securing a Windows NT 4.0 Network 510
Securing a Windows 2000 Network 513
Windows .NET: The Future of Windows Security 515
Understanding Security and UNIX/Linux Operating Systems 515
Understanding Security and Macintosh Operating Systems 519
Understanding Mainframe Security 521
Understanding Wireless Security 522
Summary 525
Frequently Asked Questions 526
Resources 527
Chapter 9 Implementing Cybercrime Detection Techniques 531
Introduction 532
Security Auditing and Log Files 534
Auditing for Windows Platforms 535
Auditing for UNIX and Linux Platforms 540
Firewall Logs, Reports, Alarms, and Alerts 542
Understanding E-Mail Headers 548
Tracing a Domain Name or IP Address 554
Commercial Intrusion Detection Systems 556
Characterizing Intrusion Detection Systems 557
Commercial IDS Players 562
IP Spoofing and Other Antidetection Tactics 564
Honeypots, Honeynets, and Other “Cyberstings” 565
Summary 568
Frequently Asked Questions 571
Resources 574
Chapter 10 Collecting and Preserving Digital Evidence 577
Introduction 578
Understanding the Role of Evidence in a Criminal Case 580
Defining Evidence 581
Admissibility of Evidence 583
Forensic Examination Standards 584
Collecting Digital Evidence 584
The Role of First Responders 585
The Role of Investigators 586
The Role of Crime Scene Technicians 587
Preserving Digital Evidence 590
Preserving Volatile Data 591
Disk Imaging 592
A History of Disk Imaging 592
Imaging Software 593
Standalone Imaging Tools 595
Role of Imaging in Computer Forensics 595
“Snapshot” Tools and File Copying 595
Special Considerations 596
Environmental Factors 596
Retaining Time and Datestamps 597
Preserving Data on PDAs and Handheld Computers 597
Recovering Digital Evidence 598
Recovering “Deleted” and “Erased” Data 599
Decrypting Encrypted Data 600
Finding Hidden Data 600
Where Data Hides 601
Detecting Steganographic Data 601
Alternate Datastreams 602
Methods for Hiding Files 603
The Recycle Bin 604
Locating Forgotten Evidence 604
Web Caches and URL Histories 604
Temp Files 606
Swap and Page Files 607
Recovering Data from Backups 609
Defeating Data Recovery Techniques 610
Overwriting the Disk 611
Degaussing or Demagnetizing 612
Physically Destroying the Disk 612
Documenting Evidence 613
Evidence Tagging and Marking 613
Evidence Logs 613
Documenting Evidence Analysis 614
Documenting the Chain of Custody 615
Computer Forensics Resources 615
Computer Forensics Training and Certification 616
Computer Forensics Equipment and Software 617
Computer Forensics Services 618
Computer Forensics Information 619
Understanding Legal Issues 619
Searching and Seizing Digital Evidence 620
U.S. Constitutional Issues 621
Search Warrant Requirements 623
Search Without Warrant 626
Seizure of Digital Evidence 629
Forfeiture Laws 630
Privacy Laws 630
The Effects of the U.S. Patriot Act 631
Summary 634
Frequently Asked Questions 635
Resources 637
Chapter 11 Building the Cybercrime Case 639
Introduction 640
Major Factors Complicating Prosecution 641
Difficulty of Defining the Crime 641
Bodies of Law 642
Types of Law 648
Levels of Law 650
Basic Criminal Justice Theory 652
Elements of the Offense 656
Level and Burden of Proof 657
Jurisdictional Issues 658
Defining Jurisdiction 658
Statutory Law Pertaining to Jurisdiction 661
Case Law Pertaining to Jurisdiction 662
International Complications 663
Practical Considerations 663
The Nature of the Evidence 664
Human Factors 665
Law Enforcement “Attitude” 665
The High-Tech Lifestyle 667
Natural-Born Adversaries? 667
Overcoming Obstacles to Effective Prosecution 668
The Investigative Process 669
Investigative Tools 671
Steps in an Investigation 678
Defining Areas of Responsibility 682
Testifying in a Cybercrime Case 682
The Trial Process 683
Testifying as an Evidentiary Witness 684
Testifying as an Expert Witness 684
Giving Direct Testimony 685
Cross-Examination Tactics 686
Using Notes and Visual Aids 686
Summary 688
Frequently Asked Questions 689
Resources 690
Afterword 691
Appendix: Fighting Cybercrime on a Global Scale 695
Index 731
Related Titles 751

Publication date (per publisher) 12.8.2002
Language: English
Subject area: Non-fiction / Guides
Computer science: Networks, Security / Firewall
Mathematics / Computer science: Computer science theory / Study
Law / Taxes: Criminal law, Criminology
Social sciences
Economics: Business administration / Management
ISBN-10 0-08-048078-0 / 0080480780
ISBN-13 978-0-08-048078-7 / 9780080480787
PDF (Adobe DRM)

Copy protection: Adobe DRM
Adobe DRM is a copy protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.

File format: PDF (Portable Document Format)
With its fixed page layout, PDF is particularly suited to technical books with columns, tables and figures. A PDF can be displayed on almost all devices, but is only of limited use on small displays (smartphone, eReader).

System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need an Adobe ID and the free Adobe Digital Editions software. We advise against using the OverDrive Media Console, as experience shows it frequently causes problems with Adobe DRM.
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need an Adobe ID and a free app.

Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.
